Yaojie Li

Date of Award

Spring 5-2018

Document Type


Degree Name

Doctor of Business Administration (DBA)


Computer Information Systems

First Advisor

Thomas F. Stafford


This dissertation is intended to interpret, analyze, and explain the interplay between organizational structure and organizational information systems security by mapping structural contingency theory into three qualitative studies. The research motivation can be attributed in two ways. First, Johnson and Goetz's (2007) conception of embedding information in organizations as part of their field research interviewing security executives serves as a methodological inspiration for the series of three studies reported here. The point that security should be infused into organization activities instead of serving as a "bolted-on" function is a central tenet guiding the development of this dissertation. Second, a macro approach is employed in the studies reported here, aimed at a theoretical expansion from existing behavioral security studies which typically take a micro perspective, while mitigating potential theoretical reductionism due to a predominant research concentration on individual components of organizational information security instead of the holistic function of the firm. Hence, this dissertation contributes to the behavioral organizational security research by positing a theoretical construct of information-securing, an organizational security process which is essentially characterized by dualism, dynamism, and democratism. With a macro organizational perspective on the elements of information securing, organizations can effectively discover and leverage organization-wide resources, efforts, and knowledge to cope with security contingencies.

The first study of this dissertation is designed to investigate the nature of employees’ extra-role behaviors. This study investigated how employees might sometimes take steps beyond the requirements of the organizational-level security policy in order to facilitate effective workgroup operation and to assist less-skilled colleagues. The second study of this dissertation conducts an interpretive study of the role of information systems auditing in improving information security policy compliance in the workplace, with a specific focus on the role of non-malicious insiders who unknowingly or innocuously thwart corporate information security directives by engaging in unsafe computing practices. The last study of the dissertation explores the interplay between organizational structures and security activities. The organizational perspective of security bureaucracies is developed with three specific bureaucratic archetypes to define the evolutionary stages of the firm’s progress through evolving from coercive rule-based enforcement regimes to fully enabled and employee-centric security cultures in the workplace. Borrowing from Weberian metaphors, the characterization of security bureaucracies evolving from an “iron cage” to an “iron shield” is developed.

These three studies revolving around the general notion of information-securing are deemed to be a promising start of a new stream of organizational IS security research. In order to enrich and extend our IS security literature, the perspective advocated in this dissertation suggests a shift in the epistemological paradigm of security behaviors in organizations from the prevailing micro views to macro perspectives which will result in very useful new perspectives on security management, security behaviors and security outcomes in organizations. GS Form 14 (8/10) APPROVAL FOR SCHOLARL